Sun Microsystems Inc. and Waveset Technologies Inc. are set to announce a new identity management solution that will tie human resources and other back-office systems into the IT security infrastructure. The goal: to help enterprises cut costs and maintain tighter control over who accesses their networks.
The joint offering will be a standards-based solution built on the Sun ONE Identity Server and Wavesets Lighthouse to support PeopleSofts broad portfolio of products in the HR and human capital management categories. The goal is to automate and streamline the process of establishing accounts for new employees and deleting them for people leaving the company—all the while ensuring that each person has access only to the resources to which he or she is entitled.
Sun and PeopleSoft are not alone in spotting this opportunity. A smaller security vendor, M-Tech Information Technologies Inc., this week will introduce a new version of its ID-Synch software, which performs many of the same functions and includes support for a broad range of platforms and authentication methods. Version 2.0 of ID-Synch has many new features, which should enable it to compete head-on with the Sun-PeopleSoft offering, which will be announced July 9.
"This makes a lot of sense from a technology standpoint. The value to the enterprise is clear because it ties into the HR system," said analyst Pete Lindstrom, at Spire Security LLC, in Malvern, Pa. "All the players are doing very similar things."
This offering could mark a major advancement for Sun in the security arena. Although its Identity Server is well established, Sun, based in Santa Clara, Calif., is still thought of mainly as a high-end hardware company and not a security player. But that may change if the move into identity management pays off.
M-Tech, based in Calgary, Alberta, has added a number of new capabilities to ID-Synch. The biggest addition is the automated access management feature. This enables the software to monitor a system of record, such as PeopleSoft, and look for changes in the database. For example, if an employee in the accounts payable department transfers to accounts receivable, ID-Synch will see that change in the system and automatically revoke or grant access to various applications and systems based on the users new role.
These changes are handled by an authorization workflow that then passes the requests to the systems proprietary fulfillment engine. The engine supports both SOAP (Simple Object Access Protocol) and XML and is set up as a Web service to execute the changes and adjustments that have been authorized.
ID-Synch 2.0 also includes a delegated management mode—in addition to support for centralized management—that enables departmental or regional administrators to manage local users.
"The notion of one administrator who can control the whole organization isnt practical. You need to be able to delegate some of that," said Bruce McDonald, senior product manager at M-Tech. "And the delegation works even without an LDAP directory, so youre not tied to that."
ID-Synch 2.0 encrypts all the sensitive data during transmission and while its at rest, using 128-bit International Data Encryption Algorithm encryption. The solution is delivered to customers on a hardened server.
For customers, the flexibility of ID-Synch has been a big attraction.
"Our motivation was to be able to manage all users accounts. We liked that this could expand to manage other user domains and applications down the road," said Jamey Maze, information security manager at E.W. Scripps Co., based in Cincinnati. "Flexibility was the main factor. It could do just about whatever we needed it to do."